The Zed Attack Proxy (ZAP) is an easy-to-use, integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
The Zed Attack Proxy (ZAP) is an easy-to-use, integrated penetration testing tool. It locates vulnerabilities in web applications and helps you build secure apps. Designed for use by people with a wide range of security experience, it’s also suited for developers and functional testers who are new to penetration testing. With its automated scanner and powerful REST API, ZAP fits seamlessly into your continuous integration environment, allowing you to automate the finding of common issues while you’re still in development.
- Intercepting proxy
- Traditional and AJAX spiders
- Active scanner
- Passive scanner
- Forced Browsing
- Open source
- Cross platform
- Easy to install
- Completely free
- Ease of use a priority
- Comprehensive help pages
- Fully internationalized
- Translated into a dozen languages
- Community-based with involvement actively encouraged
- Under active development by an international team of volunteers
- Dynamic SSL certificates
- Smart card support
- Web sockets support
- Authentication and session support
- Powerful REST based API
- Support for a wide range of scripting languages
- Automatic updating option
- Integrated and growing marketplace of add-ons
A quote from a customer:
“ZAP is the best option for people getting into web security.” Matt Tesauro, Product Security Engineering Lead, Rackspace

“ZAP is unequivocally part of my arsenal, for both assessments and teaching opportunities. It’s a wonderful tool when advocating SDL/SDLC to a room full of developers, and it’s equally effective when ripping through a vulnerable web app.” Russ McRee, GIAC+, CISSP, HolisticInfoSec.org
Check it out!